The use of social media is endemic. According to Facebook’s own statistics, the social networking giant has an average of 699 million active daily users, 1.15 billion monthly active users, and 819 million monthly active users of mobile products, with approximately 80% of daily active users located outside Canada and the US.

The European Commission’s statistical office, Eurostat, has said that more than half of all internet users post messages to social media. In 2012, a Eurostat survey showed Portugal to have the highest percentage of users who posted messages to social media (75%), with France and Germany having the lowest percentage of social media users (40% and 42% respectively). Eurostat figures from 2011 show an average of 38% of individuals aged between 16 and 74 participated in social networks in 2011, with a proportion of 80% of users aged 16-24. Social networks “play a vital role for maintaining social contacts among the younger age group,” according to Eurostat.

Originally published in Privacy and Data Protection Journal, Vol. 4, Iss. 1 on November 5, 2013.

T he use of social media is endemic. According to Facebook’s own statistics, the social networking giant has an average of 699 million active daily users, 1.15 billion monthly active users, and 819 million monthly active users of mobile products, with approximately 80% of daily active users located outside Canada and the US. The European Commission’s statistical office, Eurostat, has said that more than half of all internet users post messages to social media. In 2012, a Eurostat survey showed Portugal to have the highest percentage of users who posted messages to social media (75%), with France and Germany having the lowest percentage of social media users (40% and 42% respectively). Eurostat figures from 2011 show an average of 38% of individuals aged between 16 and 74 participated in social networks in 2011, with a proportion of 80% of users aged 16-24. Social networks “play a vital role for maintaining social contacts among the younger age group,” according to Eurostat. Companies are trying to harness the potential of such pervasive use of social media; company-sponsored blogs, Twitter profiles, Facebook pages, and other Web 2.0 presences are becoming increasingly common. However, there are potential pitfalls associated with use of social media, for both the organisations’ employees and the organisations, often relating to alleged misconduct of employees using social media. UK case law analysis The UK High Court of Justice ruled in November 2012 that an employer cannot lawfully demote an employee on the grounds of gross misconduct for a Facebook post that did not violate internal policies. In the case (Smith v Trafford Housing Trust), an employee of the Trafford Housing Trust, a local housing authority, was demoted by his employer, with a 40% salary cut. The employee had posted comments opposing gay marriage in the Christian Church on Facebook, in response to a question on his personal page. The employer took the view that the comments, although posted outside of working hours and not visible to the general public, broke the housing trust’s code of conduct by expressing views which might upset or cause offence to other employees. However, the employee successfully sued for breach of contract. The Court found that the comments were not damaging to the employer’s or other employees’ reputations, and that they did not constitute harassment as they were not related to the employer, employees, or customers. The employer cited the Stafford Housing Trust’s internal Code of Conduct and Equal Opportunities Policy and argued that, as a quasi-public sector organisation, the employee’s views could undermine its credibility with respect to diversity issues. However, the Court rejected this argument and commented that adopting an Equal Opportunities Policy ‘inevitably involves employing persons with widely different religious and political beliefs’, and that it was therefore possible that such beliefs would not be aligned with those of the employer. The Court also considered that an internal policy restricting an employee’s freedom to express their beliefs could not extend into every aspect of his/her personal or social life outside of work – even where it purported to do so. The Court gave particular weight to the fact that the Facebook page was a personal page of the employee, and although it did identify him as a manager employed by the housing trust, the Court ruled that no reasonable person would think he was expressing the employer’s views in such context. Further, having 45 work colleagues as Facebook ‘friends’ did not make a personal page work-related. It is, however, worth considering whether, if the employee had posted the same comments on, say, LinkedIn, the Court would have reached the same conclusion as to whether the page was work-related. A key difference between the Trafford Housing Trust case and prior reported UK cases is that, in previous cases, the courts invariably found that the comments made by employees were damaging to their employers’ or colleagues’ reputations or constituted harassment. For example, in 2011, an employee was found to have been (Continued on page 10) Ann Bevitt and Karin Retzer, from Morrison & Foerster LLP, identify the potential pitfalls of social media use from an employer’s perspective, analyse recent case law and guidance on social media, and provide practical advice on how to avoid the pitfalls by implementing clear and comprehensive social media and technology usage policies Employees’ use of social media — navigating the potential pitfalls w w w . p d p j o u r n a l s . c o m PRIVACY & DATA PROTECTION VOLUME 14, ISSUE 1 fairly dismissed for gross misconduct after posting inappropriate comments about two customers who had verbally abused and threatened her, on her Facebook page, and in breach of her employer’s email and internet policy (Preece v JD Wetherspoons plc). In another case (Teggart v TeleTech UK Ltd NIIT), an employee was found to have been fairly dismissed for harassment amounting to gross misconduct after posting obscene comments about a colleague’s supposed promiscuity on his Facebook page. Finally, in a further case in 2011, the court found that an employee was unfairly dismissed after making derogatory comments on her Facebook account about her workplace after a difficult day at work (Whitham v Club 24 Ltd). The comments were visible to her Facebook friends but not to other members of the public. The court held that the comments were ‘relatively minor’, and did not specifically refer to a client; further, there was no evidence of any actual or likely harm to a client relationship. What is clear from all of these cases is that it is very important for a UK employer wishing to take disciplinary action in response to an employee’s use of social media to characterise the specific type of misconduct relied upon. In most cases this is likely to be damage to the employer’s reputation or client relationships. The employer should also be prepared for the employee to argue that the conduct complained of took place outside work, and that his/her right to privacy has therefore been infringed. Cases elsewhere in Europe In Germany, the Hamm Appeals Court has held for the first time that Facebook comments of an employee are not private or confidential, and that an employer may terminate an employee because of his Facebook statements (LAG Hamm, Urteil vom 2013). In the case, a 26-year -old trainee referred to his employer on his Facebook profile as ‘Leuteschinder& Ausbeuter’ (an exploiter) and his job as ‘stupid shit for minimum wage’. When the employer discovered the comments, the trainee was dismissed, and he subsequently filed a claim for unfair dismissal at the Court. The Bochum Labor Court declared the termination of the trainee to be invalid. However, the employer appealed to the Hamm Appeal Court and won. The Hamm Appeals Court found that the statements were insulting, and ruled that the trainee could not expect that posting such comments would not have consequences when visible on a public site, rather than in Facebook’s restricted sessions. While the Court emphasised that the employee was entitled to privacy protections and freedom of expression, employees should not (erroneously) believe that statements on social media are always ‘private’ and therefore of no concern to the employer and without effect on labour relations. In a recent case in Ireland (Toland v. Marks & Spencer 2013) which examined use of social media from a slightly different angle, the Irish Employment Appeals Tribunal ruled that an employee had been unfairly dismissed for comments posted on an unnamed social networking site. In the case, an employee of major retailer Marks & Spencer had commented on a number of posts made by a colleague about a manager at the store. Marks & Spencer argued that the employee had acted in violation of its Social Networking Policy; however, the employee claimed that she had never seen such a policy. Further, the employer failed to provide evidence of a proper, graded disciplinary procedure and had ‘put adherence to company policy over a fair and open consideration of the case’ and the Tribunal ruled that therefore the dismissal was unfair. However, the Tribunal also acknowledged that the employee had contributed to her own dismissal by ‘careless misuse’ of social media, and thus reduced the amount of compensation awarded to her. Analysis of recent guidance on social media As far back as 2009, the EU Article 29 Working Party adopted an opinion on online social networks (Opinion 5/2009 on online social networking of 12th June 2009), setting out a common approach for data protection authorities in Europe. In December 2011, the German consortium of data protection regulators, the Düsseldorfer Kreis, published guidance on Data Protection and Social Networks, and in July 2013, the UK Information Commissioner’s Office (‘ICO’) issued guidance on social media and the law (‘Social networks and online forums: (Continued from page 9) w w w . p d p j o u r n a l s . c o m PRIVACY & DATA PROTECTION VOLUME 14, ISSUE 1 “What is clear from all of these cases is that it is very important for a UK employer wishing to take disciplinary action in response to an employee’s use of social media to characterise the specific type of misconduct relied upon. In most cases this is likely to be damage to the employer’s reputation or client relationships. The employer should also be prepared for the employee to argue that the conduct complained of took place outside work, and that his/her right to privacy has therefore been infringed.” When does the DPA apply?’). The guidance published by the Düsseldorfer Kreis recommends that users be provided with comprehensive and clear notice about the data that will be collected and processed, and the purposes of the processing, and be expressly and clearly informed of their access and correction rights, their right to object to the processing of personal data, as well as the contact details for an easily accessible (perhaps local) contact person. Prior explicit consent is required for the processing of any data that are not essential for the purposes of membership to the social network, and prior consent is also required for the processing of biometric data and images for facial recognition technology. Default settings must be to not collect, use, or share data, and any deviation from this is subject to explicit consent unless the data must be used to fulfil the membership agreement. Finally, all data must be deleted after termination of the membership. The ICO’s guidance also makes clear that organisations that post personal data on their own or a third party’s website need to comply with the UK’s data protection legislation, as do those that run websites that allow third parties to add comments or posts about living individuals. Such data controllers should take ‘reasonable steps’ to ensure that personal data are accurate and have clear and prominent policies for users about acceptable and non-acceptable posts, easy-to-find procedures in place for data subjects to dispute the accuracy of posts and ask for them to be removed, and procedures to respond to disputes quickly and to remove or suspend access to content, at least until such time as a dispute has been settled. Internal policies As is clear from the review of relevant case law, an inevitable consequence of having a diverse workforce is that employees have different views. Employers are, of course, entitled to take steps to protect their business, but must bear in mind that employees also have a right to freedom of expression. Accordingly, employers should not try to censor employees, or influence their views on particular issues; rather, they should encourage debate in a manner that is respectful to others. To do so, employers should have clear policies in place, making it plain to employees what will and will not be considered to be acceptable behaviour. When crafting social media or other related internal policies, employers should ensure that they differentiate between instances where employees might express personal views (although such views may be unpopular or contrary to the employer’s views or beliefs) and situations where such expression would be damaging to the employer’s business, business relationships, or to its or its customers’ or employees’ reputations. Employers should also ensure that they act reasonably when enforcing those policies, and try to balance the right of an individual to express his or her view, against behaviour that is, or is likely to be, considered offensive or damaging. Needless to say, each case will turn on its particular facts, but following the approach outlined below should help employers to avoid some of the more obvious pitfalls associated with employees’ use of social media: ?? the employer should consider whether it is appropriate to have one set of rules applicable to all employees or specific rules for specific groups of employees, such as IT staff or HR. If the latter, the employer should nevertheless ensure consistency in application, as far as possible; ?? policies should be focused, clear, and concise. Any ambiguity will be construed against the employer; ?? harassment, bullying, victimisation, defamation and negative comments about the business should be expressly prohibited; ?? employers should ensure that the policy is also integrated consistently into other relevant documentation such as the IT use policy, BYOD policy, disciplinary rules and employment contracts; ?? employer’s should make it clear to employees that if monitoring is to be used, such monitoring should comply with the policy. Further, any necessary steps associated with such monitoring, e.g., consultation with works councils, should be taken; ?? there is no point in having the perfect policy if employees do not know about it. Employers should consider creative ways of delivering the policy so that employees are aware of and become familiar with its content, e.g., via a short video or slide show; ?? it is vital that employees understand that confidentiality, privacy, privileged information and business secrecy must be protected, and the use of third party intellectual property prohibited at all times, including when using social media. For example, employees should not discuss personal data or personal issues known to them in the course of, or as a result of, their work duties, such as other employees’ salaries or medical conditions; ?? when posting content on social media, employers should require employees to clearly state that they are expressing a personal view, and ask them to identify themselves as employees if they are commenting on company products or services; and ?? finally, it is good practice to establish a social media ‘etiquette’ and encourage employees to use common sense and good judgment, just as they would in other forms of work-related communication. However, employers should be reasonable and avoid restrictions which provide little or no benefit to the company, and which could be seen as oppressive or inviting non-compliance. Ann Bevitt and Karin Retzer Morrison & Foerster LLP kretzer@mofo.com abevitt@mofo.com w w w . p d p j o u r n a l s . c o m PRIVACY & DATA PROTECTION VOLUME 14, ISSUE 1

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

All the intelligence you need, in one easy email:

* With LinkedIn, you don't need to create a separate login to manage your free JD Supra account, and we can make suggestions based on your needs and interests. We will not post anything on LinkedIn in your name.